security

.NET libraries to sanitize input?

喜夏-厌秋 submitted on 2020-01-01 02:41:51
Question: Are there any thoroughly tested .NET libraries out there to sanitize input from things like script/SQL injection? Answer 1: SQL injection and Cross-Site Scripting (a.k.a. XSS or Script Injection) are different problems. 1) SQL Injection is very easy: always use parametrized queries (SQLParameter) and try really hard to NEVER do sp_exec @query within T-SQL stored procedures. .Net parametrized queries will not protect against this second-order injection. 2) XSS is more difficult to universally

What security benefits are provided by using stored procedures to access data?

喜你入骨 submitted on 2020-01-01 02:40:41
Question: I have seen some guidance which recommends that you secure a database by layering all data access through stored procedures. I know that for SQL Server you can secure tables, and even columns, against CRUD operations. For example: --// Logged in as 'sa' USE AdventureWorks; GRANT SELECT ON Person.Address(AddressID, AddressLine1) to Matt; GRANT UPDATE ON Person.Address(AddressLine1) to Matt; --// Logged in as 'Matt' SELECT * from Person.Address; --// Fail SELECT AddressID, AddressLine1 from

How to defend data from MITM attacks over HTTPS?

人盡茶涼 submitted on 2020-01-01 00:51:06
Question: I'm working on a corporate API that is available to corporate services, where a MITM attack can have terrible consequences. We decided to use HTTPS instead of HTTP, but after googling I understood that SSL alone is not enough. As I understand it, there are two main vulnerabilities when using SSL: 1) There are many CA providers now, so nobody is protected from a MITM attack where a normal certificate is used by crackers (I found some articles where it was said that VeriSign had a secret department,

Securing Single-page-application from CSRF and XSS using CSP + localStorage

馋奶兔 submitted on 2020-01-01 00:40:39
Question: I have a single-page application that has sensitive content and needs to be secured. This question is specifically about securing against XSS and CSRF attacks. Explanation: It has been suggested in many places, for example here, to use cookies on top of localStorage when storing the auth token. A very nice explanation is also provided in the answer to another question here. Based on these answers, for secured content it is suggested to use cookies with the 'httpOnly' and 'secure' options to avoid XSS; and

Java keytool / the security of generated keys with java (in general)

旧时模样 submitted on 2019-12-31 23:05:34
Question: We are using the keytool bundled with the Java installation to generate keys for asymmetric RSA encryption. In the light of recent events, somebody asked me what is happening under the hood of the Java keytool, especially regarding the randomness of the resulting numbers (e.g. "huh, why isn't any random user input taken, like mouse movements or keyboard input?"). So what are the 'randomness sources' the Java keytool uses to create its keys? I did some quick research myself; however, the only

Is there a way to modify a process DACL in C#

試著忘記壹切 submitted on 2019-12-31 22:42:11
Question: I have legacy C++ code that changes a process DACL and am trying to use the managed code classes in .NET 3.5. I found code on the web where someone created a SetAclOnServices class that extends the NativeObjectSecurity class for services. I thought that I could implement this and just change ResourceType.Service to ResourceType.KernelObject, but when I call GetAccessControl it fails with a File Not Found error. Answer 1: Merry Christmas. public class ProcessSecurity : NativeObjectSecurity {

Android KeyStore private exponent cannot be extracted

寵の児 submitted on 2019-12-31 21:37:28
Question: I want to generate an RSA keypair in the Android Keystore. Since Android 4.3 it should be possible to generate RSA keys in the Android system Keystore. I generate my RSA key by (works fine) Calendar notBefore = Calendar.getInstance(); Calendar notAfter = Calendar.getInstance(); notAfter.add(1, Calendar.YEAR); KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx) .setAlias("key") .setSubject( new X500Principal(String.format("CN=%s, OU=%s", "key", ctx.getPackageName())))

Config your IIS server to use the “Content-Security-Policy” header

六眼飞鱼酱① submitted on 2019-12-31 20:39:08
Question: I need to add custom headers in IIS for "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection". I have the procedure to add these headers, but I am not sure what the values of these keys should be. https://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx http://content-security-policy.com/ Please suggest. Thanks. Answer 1: From this post, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration